On Tue, 13 Dec 2005, Sven Moritz Hallberg wrote:
> is a good scheme. For it to _really_ work, however, we should form a
> registry of "officially assigned" module names (i.e. ones without a
> disambiguation suffix) and also one for the author and/or organization
> names to be used as suffixes. I for example am known by the nickname
> Pesco, or (more recently) by the mnemonic SM at domain KHJK.ORG.
My solution to this problem in SearchPath is module maps. SearchPath
lets you use multiple module maps simultaneously. So you can for
example simultaneously use a global module map at haskell.org, an
industry module map at yourassociate.org, an internal company map
located on your_intranet, and a personal map located on your computer.
Conflicts are handled by the order in which you invoke the maps.
So a map is official to the extent your community shares it.
Different entities can also compete to provide maps of differing
qualities, e.g. is the map audited for security issues? Does the map
point to the repository head of all modules or a static version? etc.
Clay Shirky famously observed that in namespace construction there is
a pretty direct tradeoff between having names be memorable, global, and
non-political. I think shared module maps represent a good
compromise.
>> I just
>> read your ECT article which seems to start with the same assumption and
>> takes the theory to its logical conclusion.
> I take that as a compliment. ;) Thank you.
It was intended that way! :-)
> The main issue that springs to my mind is authenticity control. How do I
> know the module I'm downloading is the one I want? Note that this
> question is always there, even in the local case, but it is usually not
> seen as a problem until module sources are distributed over the Net.
I think https URLs solve this problem. You choose module maps from
authors you trust and access those maps via https. These "friendly"
module maps then point to "friendly" modules that you can also access
via https. Since you choose which CAs you trust to sign server keys,
you are safe from MITM attacks.
Note, I thought about supporting pgp but there is no obvious way to
sign a CVS/SVN/darcs repository and what I like about ECT is that you
can point to such repositories rather than specific checked out
versions in the comfort that things won't break. I LOVE that in
combination with ECT, you get notified that you are using a deprecated
version on the next compile without having to check all your imports
manually.
FYI, the main thing that I would really like, but don't have and can't
implement, is for :r in ghci to invoke SearchPath to hunt for missing
modules rather than forcing you to quit out and restart ghci every
time you add an import of an undownloaded module in your code. Using
SearchPath makes things very smooth, but this feature would make it
completely so.
-Alex-
______________________________________________________________
S. Alexander Jacobson tel:917-770-6565 http://alexjacobson.com
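
The map precedence and https-only trust described in the message above, as an added example that is not part of the original post and is not SearchPath's own code. The one-entry-per-line `Module.Name URL` map format, the function names and the sample maps are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_map(name, text):
    """Parse a hypothetical 'Module.Name URL' map; fail closed on non-https."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"{name}:{lineno}: expected 'Module URL'")
        module, url = parts
        u = urlsplit(url)
        # A plain-http entry would let anyone on the path swap the source.
        if u.scheme != "https" or not u.hostname:
            raise ValueError(f"{name}:{lineno}: {module} is not served over https")
        entries[module] = url
    return name, entries

def resolve(module, maps):
    """Return (url, winning_map, shadowed) using the order the maps were given."""
    hits = [(name, entries[module]) for name, entries in maps if module in entries]
    if not hits:
        raise LookupError(f"{module}: not found in any module map")
    (winner, url), rest = hits[0], hits[1:]
    # Lower-priority maps that disagree are reported so the conflict is visible.
    shadowed = [(n, u) for n, u in rest if u != url]
    return url, winner, shadowed

# Constructed sample maps (hosts and module names are placeholders).
COMPANY = parse_map("company", """
# internal fork, listed first so it wins conflicts
Text.Markup https://intranet.example/repos/markup/
""")
GLOBAL = parse_map("global", """
Text.Markup https://maps.example/markup/head/
Data.Trie https://maps.example/trie/head/
""")
MAPS = [COMPANY, GLOBAL]  # order of invocation decides conflicts

if __name__ == "__main__":
    for mod in ("Text.Markup", "Data.Trie"):
        url, winner, shadowed = resolve(mod, MAPS)
        print(f"{mod}: {url} (from {winner}; shadowed: {shadowed})")
```

Reporting the shadowed entries matters when maps come from different parties: a module silently overridden by an earlier map is exactly the case an auditor wants to see.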